  1. MidPoint
  2. MID-2368

associationFromLink seems not to remove account from entitlement when role is unassigned

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0 (Newton), 3.1.1
    • Fix Version/s: 3.2 (Tycho)
    • Component/s: None
    • Labels:

      Description

      I have a meta-role which creates some group in AD for a role that has this metarole assigned.
      The meta-role also has order=2 inducement with associationFromLink statement to enable assignment of the role to the user.

      Assigning will add user to the group/entitlement that is created for that role by the metarole. But unassigning the role will NOT remove user from that group/entitlement.

      <role oid="00000000-dc00-dc00-0004-000000000218"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:example="http://evolveum.com/example"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
          <name>Meta-role XXX</name>
          <inducement>
              <construction>
                  <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
                  <kind>entitlement</kind>
                  <intent>group-isovendor-isoapplication</intent>
              </construction>
          </inducement>

          <!-- Second order inducement to be able to assign THIS role entitlements to users -->

          <inducement>
              <construction>
                  <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
                  <kind>account</kind>
                  <intent>default</intent>
                  <association>
                      <ref>ri:adGroups</ref>
                      <outbound>
                          <expression>
                              <associationFromLink>
                                  <projectionDiscriminator>
                                      <kind>entitlement</kind>
                                      <intent>group-isovendor-isoapplication</intent>
                                  </projectionDiscriminator>
                              </associationFromLink>
                          </expression>
                      </outbound>
                  </association>
              </construction>
              <order>2</order>
          </inducement>
          <requestable>false</requestable>
      </role>
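
An added example, not part of the original report and not midPoint code: a Python audit helper that finds inducements in exported role XML whose association is computed with associationFromLink (the construct this issue concerns), plus a check for accounts still in the group after the role was unassigned. The sample XML is trimmed from the role above; the function names and the user names in the test data are constructed, and the group-member and assignment lists are assumed to be exported by other means.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample: the role from the description, trimmed to the relevant elements.
SAMPLE_ROLE = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Meta-role XXX</name>
  <inducement>
    <construction><kind>entitlement</kind><intent>group-isovendor-isoapplication</intent></construction>
  </inducement>
  <inducement>
    <construction>
      <kind>account</kind>
      <association>
        <ref>ri:adGroups</ref>
        <outbound><expression><associationFromLink>
          <projectionDiscriminator>
            <kind>entitlement</kind><intent>group-isovendor-isoapplication</intent>
          </projectionDiscriminator>
        </associationFromLink></expression></outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>"""


def find_link_associations(role_xml):
    """List inducements whose association value comes from associationFromLink."""
    role = ET.fromstring(role_xml)
    found = []
    for ind in role.findall("c:inducement", NS):
        # Assumption: an inducement without <order> applies at order 1.
        order = int(ind.findtext("c:order", default="1", namespaces=NS))
        for assoc in ind.findall("c:construction/c:association", NS):
            disc = assoc.find(".//c:associationFromLink/c:projectionDiscriminator", NS)
            if disc is not None:
                found.append({"role": role.findtext("c:name", namespaces=NS),
                              "order": order,
                              "association": assoc.findtext("c:ref", namespaces=NS),
                              "intent": disc.findtext("c:intent", namespaces=NS)})
    return found


def stale_members(group_members, users_with_role):
    """Accounts still in the group although the role is no longer assigned."""
    return sorted(set(group_members) - set(users_with_role))
```

Run `find_link_associations` over exported roles to see which groups depend on this expression, then compare each group's actual members with the current role assignments using `stale_members`.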
      


            People

            Assignee:
            vix Ivan Noris
            Reporter:
            vix Ivan Noris
